Most of the experts and professionals claiming that broadband data delivered over 3G cellular networks will choke the hope of the WiMAX industry for the standard to become worldwide significant. There are too many factors involved in weakening WiMax security, stability, Quality of service etc. In this chapter I am going to discuss the threats involved in WiMax deployment and in the infrastructure after that.
Since there are many threats to WiMAX, therefore we will restrict our discussion on the most important aspects, and those are the application layer threat, the physical layer threat, the sub-privacy layer threat and the data link layer.
Since there are many threats to WiMAX, therefore we will restrict our discussion on the most important aspects, and those are the application layer threat, the physical layer threat, the sub-privacy layer threat and the data link layer.
Application Layer Threats to WiMAX
software based threat management and secure access solutions will be as essential as ever, with a typical security infrastructure comprising components such as firewalls, virtual private networking (VPN), Internet key exchange (IKE) tunnelling, and intrusion prevention systems (IPS), each of which reside at the application layer.
For example, in an WiMax mesh network installation where routers or gateways will operate as intermediaries, or hot spots linking client and base station, there is an increased potential of security vulnerabilities, as the intermediary routers that reside between base station and client are presentable and vulnerable to attacks. Popular application level services, such as voice over Internet protocol (VoIP), could be broken by hackers who can initiate the download of remote configuration settings and resynchronize clients’ CPE settings to their specifications. Hackers may also replicate, or spoof the address of the intermediary router or server and deceive other clients into believing their connection is secure, thus opening them up to malicious attack. These routers and gateways will require robust security measures to ensure that unprotected clients remain protected behind the intermediary access point.
The majority of existing routers will have their own firewall components that provide Application Layer Gateway (ALG) functionality for the signalling protocols that support and keep multiple sessions. Any deficiency in the ALG functionality could result in diminished QoS for low latency applications, such as VoIP and videoconferencing. OEMs must develop devices with ALGs that permit inward call requests to the devices only from the device registered with the server and endpoints, while dynamically allowing inward media packets only on call set up. These media sessions are to be disabled on termination of the connection.
For example, in an WiMax mesh network installation where routers or gateways will operate as intermediaries, or hot spots linking client and base station, there is an increased potential of security vulnerabilities, as the intermediary routers that reside between base station and client are presentable and vulnerable to attacks. Popular application level services, such as voice over Internet protocol (VoIP), could be broken by hackers who can initiate the download of remote configuration settings and resynchronize clients’ CPE settings to their specifications. Hackers may also replicate, or spoof the address of the intermediary router or server and deceive other clients into believing their connection is secure, thus opening them up to malicious attack. These routers and gateways will require robust security measures to ensure that unprotected clients remain protected behind the intermediary access point.
The majority of existing routers will have their own firewall components that provide Application Layer Gateway (ALG) functionality for the signalling protocols that support and keep multiple sessions. Any deficiency in the ALG functionality could result in diminished QoS for low latency applications, such as VoIP and videoconferencing. OEMs must develop devices with ALGs that permit inward call requests to the devices only from the device registered with the server and endpoints, while dynamically allowing inward media packets only on call set up. These media sessions are to be disabled on termination of the connection.
Physical Layer Threats to WiMAX
Privacy Sub-layer resides on the top of Physical layer in IEEE 802.16 standard, therefore, WiMax networks are open to to physical layer attacks for example, blocking and rushing. Blocking is done by activating a source of strong noise to significantly lowering the capacity of the channel, therefore denying services (DoS) to all stations. However, blocking or jamming is detectable with radio analyzer devices. Rushing or scrambling is another type of jamming, but it takes place for a short interval of time aimed at particular frames. Control or management messages could be jumbled, but it is not possible with delay sensitive message i.e., scrambling Uplink slots are comparatively hard, because attacker has to interpret control information and to send noise during a particular interval.
Privacy Sub Layer Threats to WiMAX
Privacy Sub-layer’s main objective was to protect service providers against theft of service, rather than securing network users. It is obvious that the privacy layer only secures data at the data link layer, but it does not ensure complete encryption of user data. Furthermore, it does not protect physical layer from being interrupted. It is essential to include technologies to secure physical layer and higher layer security for a converged routable network and devices within the system.
Data Link Layer Threats to WiMAX
In a typical Wi-Fi mechanism, a digital subscriber line (DSL) feeds a packet-ized bit stream into a modem or access point, which in turn broadcasts a radio signal; often encrypted to Wi-Fi enabled clients that de-packet this data into information. In a WiMAX installation, a fixed wireless base station, similar in concept to a cell phone tower, serves an always-on radio signal directly accessible by WiMAX enabled clients, with no need for leased lines or an intermediate access point.
Like Wi-Fi, the WiMax Media Access Control (MAC) protocol, a sub layer of the data link layer, manage the consumer’s access to the physical layer. However, the scheduling algorithm within the WiMAX MAC protocol offers optimal prioritization of this traffic based on First-In First-Out (FIFO) scheduling, in which clients seeking access to the base station are allocated bandwidth upon time of initial access, instead of random queue assignment based on order of MAC address as in Wi-Fi. Furthermore, the WiMax MAC protocol ensures optimal quality of service (QoS) over its WiFi predecessor, allocating bandwidth effectively by balancing client’s needs instead of best effort service; that is, equal distribution of what remains after allocation to other consumers.
In addition, before encrypting the radio signal with Wired Equivalent Privacy (WEP), WPA/PSK, or any other existing Layer 2 security protocol, WiMax basic authentication architecture, by default, employs X.509-based public key infrastructure (PKI) certificate authorization, in which the base station authenticates the client’s digital certificate prior to granting access to the physical layer.
Like Wi-Fi, the WiMax Media Access Control (MAC) protocol, a sub layer of the data link layer, manage the consumer’s access to the physical layer. However, the scheduling algorithm within the WiMAX MAC protocol offers optimal prioritization of this traffic based on First-In First-Out (FIFO) scheduling, in which clients seeking access to the base station are allocated bandwidth upon time of initial access, instead of random queue assignment based on order of MAC address as in Wi-Fi. Furthermore, the WiMax MAC protocol ensures optimal quality of service (QoS) over its WiFi predecessor, allocating bandwidth effectively by balancing client’s needs instead of best effort service; that is, equal distribution of what remains after allocation to other consumers.
In addition, before encrypting the radio signal with Wired Equivalent Privacy (WEP), WPA/PSK, or any other existing Layer 2 security protocol, WiMax basic authentication architecture, by default, employs X.509-based public key infrastructure (PKI) certificate authorization, in which the base station authenticates the client’s digital certificate prior to granting access to the physical layer.
No comments:
Post a Comment